I've been blocking 3rd party cookies for 10 years. And yet, and yet, if I look at my cookies folder I see cookies from Google Analytics and from Facebook and DoubleClick, and others, even though I've never gone to those sites myself.

Not sure how useful 3rd party cookie blocking is when their content (ads, or just plain tracking scripts) loads in an iFrame on another site and then they become 1st party cookies.

The feature, aimed at preventing cross-site tracking of browser users with cookies not originating from the sites users visit, will still be available in the next Firefox release (due in June) but will be turned off by default.

It's my understanding that the only thing "controversial" about this is that it will be enabled by default. Firefox has had the ability to block third party cookies if the user chooses to, for god knows how long.

I've been blocking 3rd party cookies for 10 years. And yet, and yet, if I look at my cookies folder I see cookies from Google Analytics and from Facebook and DoubleClick, and others, even though I've never gone to those sites myself.

Not sure how useful 3rd party cookie blocking is when their content (ads, or just plain tracking scripts) loads in an iFrame on another site and then they become 1st party cookies.

You should try out self-destructing cookies if you use Firefox. It's ridiculous how many cookies some sites load up into your browser. I've seen that add-on message pop-up before telling me it's deleted over 30 cookies from a site that I visited just once. And that's with ABP fully enabled and social cookies being blocked.

But perhaps more significant is the arrival of support for Asm.js, an optimized subset of JavaScript for boosting the performance of generated JavaScript code, arriving in the new OdinMonkey just-in-time JavaScript compiler.

Small note, might be more accurate to phrase it as "additional optimizations for" as opposed to "support" (since as a subset of JavaScript, asm.js is already fully supported by all modern JavaScript engines, and even optimized for in many cases - it's just that OdinMonkey takes those optimizations to a new level).

I've been blocking 3rd party cookies for 10 years. And yet, and yet, if I look at my cookies folder I see cookies from Google Analytics and from Facebook and DoubleClick, and others, even though I've never gone to those sites myself.

Not sure how useful 3rd party cookie blocking is when their content (ads, or just plain tracking scripts) loads in an iFrame on another site and then they become 1st party cookies.

Which is why I run Ghostery, BetterPrivacy, Disconnect, etc. on top of just turning off 3rd party cookies. Off-by-default is a good step, and will help people who don't use a lot of privacy settings, but this change (or delay) has zero effect on the more security conscious.

You should try out self-destructing cookies if you use Firefox. It's ridiculous how many cookies some sites load up into your browser. I've seen that add-on message pop-up before telling me it's deleted over 30 cookies from a site that I visited just once. And that's with ABP fully enabled and social cookies being blocked.

Try Ghostery too. Adblock+, NoScript and Ghostery are the triumvirate of privacy/security extensions for FF (substitute like NoScripts (yes, there's an s at the end) for Chrome). There are a few I go over and beyond for, but honestly, as long as you have those three, you should be 99% intrusion free.

I've been blocking 3rd party cookies for 10 years. And yet, and yet, if I look at my cookies folder I see cookies from Google Analytics and from Facebook and DoubleClick, and others, even though I've never gone to those sites myself.

Not sure how useful 3rd party cookie blocking is when their content (ads, or just plain tracking scripts) loads in an iFrame on another site and then they become 1st party cookies.

I've noticed the same thing a long time ago. When I look at the list of cookies on my computer I see the names of lots of places I have never visited. It would appear that the "3rd party cookie" setting of Firefox has never actually worked.

Then there's the problem that Mozilla's entire existence is pretty much dependent on the money they get from Google, whose gazillion-dollar-a-year business model is based on tracking people. Which makes me wonder just how serious Mozilla is about this.

You should try out self-destructing cookies if you use Firefox. It's ridiculous how many cookies some sites load up into your browser. I've seen that add-on message pop-up before telling me it's deleted over 30 cookies from a site that I visited just once. And that's with ABP fully enabled and social cookies being blocked.

Try Ghostery too. Adblock+, NoScript and Ghostery are the triumvirate of privacy/security extensions for FF (substitute like NoScripts (yes, there's an s at the end) for Chrome). There are a few I go over and beyond for, but honestly, as long as you have those three, you should be 99% intrusion free.

Ghostery is downright worthless with the right filters in place for ABP and NoScript is far too annoying for my liking. I used to use Request Policy but after a couple of months I couldn't bother with having to whitelist every site that I visit. NoScript would annoy me even more than Request Policy and god help my sanity if I ever used the two of them together.

You should try out self-destructing cookies if you use Firefox. It's ridiculous how many cookies some sites load up into your browser. I've seen that add-on message pop-up before telling me it's deleted over 30 cookies from a site that I visited just once. And that's with ABP fully enabled and social cookies being blocked.

Try Ghostery too. Adblock+, NoScript and Ghostery are the triumvirate of privacy/security extensions for FF (substitute like NoScripts (yes, there's an s at the end) for Chrome). There are a few I go over and beyond for, but honestly, as long as you have those three, you should be 99% intrusion free.

I used to use Ghostery, but I found out it significantly slowed down page loading (possibly in combination with some other add-on?). I have replaced it with Cookie Monster, which is also more user friendly (if I remember correctly), and it has more options, such as temporarily allowing certain cookies, and deleting certain cookies when the session ends. https://addons.mozilla.org/en-US/firefo ... src=search

When I started using Ghostery, I was worried that it would break a lot of things. There are some 3rd-party widgets that it can block (like Disqus) that people use to provide web-functionality, but it is designed well and you can tailor it quite nicely to your needs. Highly recommended!

when they announced this, i turned it on just to see how it felt. about all the annoyance i've had to deal with is disqus not working on some sites. and that's cool, because i waste too much time blathering on the internet anyways. so, yeah, recommended.

a week or so after that i checked "clear all cookies when firefox closes." that has also stayed on.

I see many people disliking Ghostery but you should try it out now - an updated, user-friendly experience with fine-grain control over the cookies. I set everything to be blocked and it has never broken anything for me.

ABP is so good there's no need to talk about it anymore (except the fact that it doesn't prevent cookies, just showing the ads).

NoScript though is a tool for people with nerves of steel. I recommend it for the sole reason of security but it does take a lot of time for initial configuration for your everyday sites. I backup my blocklist and don't worry about it anymore. most of the sites I visit are configured properly now. fishy sites are blocked (by default) and when I go to a new site that shouldn't be problematic I usually allow first-domain scripts only with a click.

I wonder if they couldn't have at least made it such that 3rd party cookies are very short lived... no more than the session max, and probably no more than an hour. That shouldn't break much if anything and still prevent long term tracking.

Who's the sick @#$%^ who thought that one of the most surreptitious tools to track people should have an innocent name like cookie?

In all fairness, it seemed like a good idea 20 years ago. Sort of like ActiveX. Let websites install stuff on my computer? Sure, what could possibly go wrong.

In all fairness, cookies are bloody well essential for sanely doing many things on the web. Would you really like to have to include your username and password every time you comment on an article? What about on a forum where you may make many posts and want to track what you've read? And what about for people who want to see the mobile or desktop version of a site but don't want to be at the mercy of userAgent detection scripts?

Without cookies or some similar way of storing information the only way to keep you logged in or remember settings for more than a single page view would be to put an identification string in the url. That is not a good idea for so many reasons.

Who's the sick @#$%^ who thought that one of the most surreptitious tools to track people should have an innocent name like cookie?

In all fairness, it seemed like a good idea 20 years ago. Sort of like ActiveX. Let websites install stuff on my computer? Sure, what could possibly go wrong.

In all fairness, cookies are bloody well essential for sanely doing many things on the web. Would you really like to have to include your username and password every time you comment on an article? What about on a forum where you may make many posts and want to track what you've read? And what about for people who want to see the mobile or desktop version of a site but don't want to be at the mercy of userAgent detection scripts?

Without cookies or some similar way of storing information the only way to keep you logged in or remember settings for more than a single page view would be to put an identification string in the url. That is not a good idea for so many reasons.

Cookies are absolutely essential for sane browsing habits. Cookies that persist any longer than that needs to, whether that's at logout or closing of the browser or some other reasonable trigger, are evil. Cookies that don't aid in your transactions, but just keep track of your info for not disclosed purposes? Evil. Cookies (LSOs) that hide and aren't removed by normal cleaning methods? Spawn of the devil.

Cookies are absolutely essential for sane browsing habits. Cookies that persist any longer than that needs to, whether that's at logout or closing of the browser or some other reasonable trigger, are evil. Cookies that don't aid in your transactions, but just keep track of your info for not disclosed purposes? Evil.

Absolutely but what is interesting here, and what Mozilla is trying to do, is to automagically differentiate between those that are evil and those that are actually very useful for the user. The edge cases are trickier than one might naively imagine.

Quote:

Cookies (LSOs) that hide and aren't removed by normal cleaning methods? Spawn of the devil.

But they have nothing to do with browser cookies and everything to do with the Flash plugin. One more reason I don't like Flash.

Not surprised they caved on the cookies issue, but like others have said, there are ways around that, and have been for a while. The gesture would have been at most a minor inconvenience for more reputable advertisers.

I'm kind of excited about the web notifications thing. I tried Growler for Windows since a lot of OS X users seem to love this feature (?), but it wasn't for me. I like how notifications work in Android; in fact there's a lot that my smartphone can do that my desktop cannot, and that's kinda sad.

With regards to Stamford, I think The Office has helped put that name in the public consciousness. I mean the American version. That's the Dunder Mifflin branch Jim Halpert transfers to following the Jim-Pam-Roy love triangle in the first couple seasons, where he meets Andy Bernard and the whole "Tuna" thing starts. And wrestling fans know it as the headquarters of the WWE... but I just know it as where my wife's grandmother lives. (We take the exit right by the WWE building, too. It would be cool if we were into wrestling. But we're not, so it's just a really cool monolithic black building in a town where the roads are windy and too narrow (so you can't really look at it if you're driving).

Who's the sick @#$%^ who thought that one of the most surreptitious tools to track people should have an innocent name like cookie?

As with everything about the Internet when it was young, and consumer software itself was young, in the beginning a "cookie" was a very benign thing. It wasn't until the malicious hackers entered the picture along with rabid commercial interests that developers discovered that writing software for function alone wasn't enough--you had to also write to security as well as to function. A nice, neat challenge that wasn't met overnight, and is still being perfected. (duh).

I use Ghostery (along with Firefox 21 at the moment) to take care of my tracking stuff--read about it first right here on Ars, and I must say it's a quality program that interferes with...nothing. Every once in a blue moon--if you are a disqus member, for instance--it'll block disqus sometimes so that you can't make posts and you have to allow it in order to so. I just left that particular setting disabled permanently so as to keep disqus open--I seldom use it, though.

I've been blocking 3rd party cookies for 10 years. And yet, and yet, if I look at my cookies folder I see cookies from Google Analytics and from Facebook and DoubleClick, and others, even though I've never gone to those sites myself.

Not sure how useful 3rd party cookie blocking is when their content (ads, or just plain tracking scripts) loads in an iFrame on another site and then they become 1st party cookies.

To block these you should use NoScript and never allow google-analytics, etc.

I'm not sure what the big deal is - I've blocked 3rd party cookies for as long as I can remember, without ever noticing an unwelcome consequence.

For me it worked for a long time, until Chrome and Firefox tightened up their 3rd-party cookie handling a few months back. That broke the Google login for places like Engadget, Blogspot blogs, etc. I eventually figured out to add an exception in Chrome for "[*.]blogger.com", and in Firefox for... huh, looks like I forgot to set it up for Firefox. I should do that sometime. Hopefully the syntax is more intuitive than Chrome's.

I'm not sure what the big deal is - I've blocked 3rd party cookies for as long as I can remember, without ever noticing an unwelcome consequence.

For me it worked for a long time, until Chrome and Firefox tightened up their 3rd-party cookie handling a few months back. That broke the Google login for places like Engadget, Blogspot blogs, etc. I eventually figured out to add an exception in Chrome for "[*.]blogger.com", and in Firefox for... huh, looks like I forgot to set it up for Firefox. I should do that sometime. Hopefully the syntax is more intuitive than Chrome's.

This is my biggest concern for 3rd party blockers, not just disqus but any openid login systems and similar. I'm not sure what the answer is, unless whitelisting is made easier, or the list of cookies a site sets can be tracked (that would be good, from when you open a site to when you leave, you can see all the cookie changes that have happened)

What will happen with blocked 3rd party cookies is the advertisers will find a way to set their crap in a 1st party way, maybe wrapping their cookie in a cookie set by the site they're embedded on via some js library.

I whitelist cookies using CookieMonster, not just third party cookies for that matter, my policy is deny by default. I do the same with scripts using NoScript, and even Referrers with RefControl. On top of that there is Ghostery for trackers and AdBlock Light.

The web is too hostile a place to be going around with all things turned on. Stylish has become a must have, as too many sites abuse white backgrounds.

Ah yes, if you want to serve me ads, you damn well serve them directly, from your server on your bandwidth; not use a third party. Don't worry gbjbaanb, NoScript takes care of countermeasures.

You've perhaps not quite understood the intention here. It's not to block all third-party cookies. Doing so would break some useful functions of many many sites. I thought the article explained it ok but it may help you to read the linked blog post or the patch (also linked to in the article).

Quote:

To this end, we are testing a patch from Jonathan Mayer. Jonathan’s patch matches how Safari has worked for years, and does the following:

Allows cookies from sites you have already visited.

Blocks cookies from sites you have not visited yet.

The idea is that if you have not visited a site (including the one to which you are navigating currently) and it wants to put a cookie on your computer, the site is likely not one you have heard of or have any relationship with. But this is only likely, not always true. Two problems arise:

False positives. For example, say you visit a site named foo.com, which embeds cookie-setting content from a site named foocdn.com. With the patch, Firefox sets cookies from foo.com because you visited it, yet blocks cookies from foocdn.com because you never visited foocdn.com directly, even though there is actually just one company behind both sites.

False negatives. Meanwhile, in the other direction, just because you visit a site once does not mean you are ok with it tracking you all over the Internet on unrelated sites, forever more. Suppose you click on an ad by accident, for example. Or a site you trust directly starts setting third-party cookies you do not want.

It goes on to explain they are doing real world testing to try to tease out these false positives and negatives.
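A minimal model of the visited-site rule quoted above, showing both failure cases it names. This is an added example, not part of the original thread and not code from Firefox or the patch; `siteOf`, `VisitedSitePolicy`, `runScenarios` and the `.example` hosts are constructed for illustration, and the two-label site rule is an assumption standing in for the Public Suffix List.

```javascript
"use strict";

// Assumption: the "site" is the last two labels of the host name.
// Real browsers derive it from the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

class VisitedSitePolicy {
  constructor() {
    // Sites the user has loaded as a top-level page.
    this.visited = new Set();
  }

  // The rule from the quote: allow cookies from sites already visited,
  // block cookies from sites not visited yet.
  canSetCookie(host) {
    return this.visited.has(siteOf(host));
  }

  // The user navigates to topHost, which loads content from embeddedHosts.
  // The site being navigated to counts as visited, so its own cookies pass.
  navigate(topHost, embeddedHosts = []) {
    const top = siteOf(topHost);
    this.visited.add(top);
    return [topHost, ...embeddedHosts].map((host) => ({
      host,
      party: siteOf(host) === top ? "first" : "third",
      cookie: this.canSetCookie(host) ? "allowed" : "blocked",
    }));
  }
}

function runScenarios() {
  const policy = new VisitedSitePolicy();

  // False positive: foo.com and foocdn.com belong to one company, but the
  // user never opened foocdn.com directly, so its cookie is blocked.
  const falsePositive = policy.navigate("www.foo.com", ["static.foocdn.com"]);

  // An ad network embedded on a page the user reads: blocked, never visited.
  const beforeClick = policy.navigate("www.news.example", ["ads.adnet.example"]);

  // False negative: one accidental click on an ad is a top-level visit...
  policy.navigate("adnet.example");

  // ...and from then on the network's cookies are allowed on unrelated sites.
  const afterClick = policy.navigate("www.blog.example", ["ads.adnet.example"]);

  return { falsePositive, beforeClick, afterClick };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```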

Instead of going into several layers from: Edit -> Reference -> Privacy -> Remove individual cookies, I would like to have that direct link to "Privacy" icon sit right next to "Home" icon on the manual bar so I can click on it and manually delete all cookies without going through several layers to get to "Privacy". Is this too much to ask, Firefox? And no matter how it comes out on its next version, default or no default, it still beats the hell out of Chrome the way how you are to clearing off your cookies and history. It's a pain to have that second or two wait for the Chrome to open up another tab to clear your cookies and histories.

Um, no. Not in every case. Our e-commerce software issues 2 different cookies. One of them is the normal one that's used to track the user's session after they've logged in. The other one is the shopping-cart cookie, which has a much longer lifetime (90 days in our case). So no, a shopping-cart cookie is not evil; it's essential.

Who's the sick @#$%^ who thought that one of the most surreptitious tools to track people should have an innocent name like cookie?

In all fairness, it seemed like a good idea 20 years ago. Sort of like ActiveX. Let websites install stuff on my computer? Sure, what could possibly go wrong.

In all fairness, cookies are bloody well essential for sanely doing many things on the web. Would you really like to have to include your username and password every time you comment on an article? What about on a forum where you may make many posts and want to track what you've read? And what about for people who want to see the mobile or desktop version of a site but don't want to be at the mercy of userAgent detection scripts?

Without cookies or some similar way of storing information the only way to keep you logged in or remember settings for more than a single page view would be to put an identification string in the url. That is not a good idea for so many reasons.

Cookies are absolutely essential for sane browsing habits. Cookies that persist any longer than that needs to, whether that's at logout or closing of the browser or some other reasonable trigger, are evil. Cookies that don't aid in your transactions, but just keep track of your info for not disclosed purposes? Evil. Cookies (LSOs) that hide and aren't removed by normal cleaning methods? Spawn of the devil.

I deal with cookies in Chrome by write-protecting the cookie file. This allows me to keep useful cookies (e.g. login credentials for sites where security is unimportant, site preferences, etc) while effectively turning all other cookies into "delete on close" cookies. This gives me the fine-grained control that is sadly missing from most browsers. I also use a SQLite database tool to change the expiry date on cookies that I want so that they don't expire.

It would be really nice if browser developers would recognize that this kind of tweaking is desirable and incorporate it into browsers, but I've been waiting since the Netscape days and this hasn't happened yet.